Internal Audit Service Draft Internal Audit Plan 2018-19 - Issued by: John Pearsall - Meetings ...

Internal Audit Service
            Draft Internal Audit Plan 2018-19

Draft

Issued by:    John Pearsall (Head of Internal Audit, Risk and Insurance)

Distribution: Audit Committee
              Corporate Leadership Team (CLT)
              Corporate Governance Group

Contents
  1.           Executive Summary
  2.           Introduction
  3.           Responsibilities and Scope
  4.           Internal Audit Planning Methodology
  5.           Characteristics of the 2018-19 Internal Audit Plan
  6.           Resourcing and Delivery of the Internal Audit Plan
  7.           Proposed Work Programme for 2018-19
  Appendix A   Details of the Proposed Work Programme
  Appendix B   Consultancy and Assurance work for inclusion in 2018/19 Internal Audit Plan
  Appendix C   Audit Categories

Executive Summary
1.   The development of the 2018/19 Internal Audit Plan has been undertaken against the continuing backdrop of ongoing fundamental
     strategic and operational change throughout Stockport Council. As a consequence, the audit planning process has been directed and
     governed by the risk environment as it currently stands. There is, however, an appreciation that the control environment, and the
     subsequent risk profile, of the Council, will inevitably change over the next financial year. This will inevitably result in a revised Plan that
     will need to be further risk assessed throughout the year (as happened in 2017/18).

2.   Another fundamental feature of the 2018/19 Audit Plan is the inbuilt flexibility that will allow resources to respond to these changing
     demands for assurance work. This flexible approach has worked positively in the past three years by allowing quick and effective targeting
     of resources to high risk areas as they arose throughout the year. In addition, the Council will inevitably face considerable risk, control and
     governance challenges as key and fundamental projects mature and are embedded in the organisation. This includes the ongoing
     integration of health and social care (Stockport Together), reliance and careful control over third party providers (SPA arrangements), the
     Digital by Design Phase 2 project, the continuing GM devolution agenda and the business rates retention project. Risk will be further
     evident not only in terms of the scale of savings required to be delivered but also the way in which the Council operates. The Audit Plan
     will therefore support these challenges by allowing flexibility in reviewing these areas in the form of sub or mini plans. Any changes within
     the year will be discussed with the Corporate Leadership Team prior to approval by the Audit Committee.

3.   The 2018/19 Plan continues to combine levels of assurance with innovative ways of working. We continue to roll out IDEA software as an
     efficient way of testing key system controls using technology, we provide joint assurance work with Trafford and Rochdale Internal Audit
     services to deliver six key procurement reviews (two reviews per Council) and externally procure Salford Internal Audit services to deliver
     our ICT reviews. This year’s plan also aims to provide further clarity on the activities of three core areas - Internal Audit, Risk Management
     and Counter Fraud. A number of audits take a different approach whereby audit resource is directed to support services and any specific
     financial gain identified from the pieces of work is shared (Personal Budgets, HB Subsidy Grant and business rates are examples).
     Finally the Greater Manchester Devolution Deal presents both opportunities and challenges. The devolution of new powers and budgets
     from government to the GM Combined Authority will require a reformed and complex governance model and the way in which GM wide
     assurance is delivered in the future will require strategic review and change. As part of this process the Head of Internal Audit, Risk and
     Insurance is working closely with colleagues of the nine other members of AGMA to deliver an overall Assurance Strategy that will direct
     the delivery of this assurance in a joint and cost effective way. Lastly discussions are also planned with Mersey Internal Audit Agency to
     determine the most cost effective way to deliver assurances around the Stockport Together programme. This new widening of assurance
     providers demonstrates the way in which Internal Audit is using its limited resources in the most effective way.

1.     Introduction
1.1    This document summarises the results of Internal Audit’s planning work. It sets out the details of the:

       • Responsibilities and scope of Internal Audit;
       • Internal Audit Planning Methodology;
       • Characteristics of the 2018-19 Internal Audit Plan;
       • Resourcing and delivery of the Council’s Internal Audit service;
       • Proposed programme of work for 2018-19 (the Audit Plan).

1.2    The Audit Plan for 2018-19 has been prepared in accordance with the requirements of the Public Sector Internal Audit Standards
       (PSIAS). The PSIAS represent mandatory best practice for all internal audit service providers in the public sector.

1.3    The Council has adopted the PSIAS definition of internal auditing:

           ‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s
           operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve
           the effectiveness of risk management, control and governance processes’.

1.4    In accordance with PSIAS, the mission of internal audit is to ‘enhance and protect organisational value by providing risk-based and
       objective assurance, advice and insight’. The work of internal audit is a key element in delivering the Council’s strategic priority of
       reform and governance, but also supports the Council in achieving all the aims and objectives set out in the Investing in Stockport Plan
       2015-2020 and the Stockport Council Annual Plan.

1.5    The PSIAS require that the Internal Audit Service is delivered and developed in accordance with the Internal Audit Charter. The Internal
       Audit Charter provides the functional and organisational framework in which Internal Audit operates to best serve Stockport Council and
       to meet its professional obligations under the PSIAS. In addition, the PSIAS require the Internal Audit & Risk Manager to prepare an
       annual risk-based internal audit plan, which takes into account the requirement to produce an annual internal audit opinion. This opinion
       statement is a key contributor to the Annual Governance Statement, which the Chief Executive and the Leader of The Council are
       required to sign off alongside the final accounts each year.

2.     Responsibilities and Scope
       Responsibilities of internal audit

2.1    The internal audit function is responsible for:

       • Reviewing and developing the Council’s governance processes. Specifically, this includes:
           - Promoting appropriate ethics and values within the Council;
           - Supporting effective organisational performance management and accountability;
           - Communicating risk and control information to appropriate areas of the organisation;
           - Coordinating the activities of, and communicating information among, the Audit Committee, external audit, internal audit
             and management.
       • Evaluating the effectiveness of the Council’s risk management processes and contributing to their improvement;
       • Assisting in the maintenance and development of an effective control environment by providing robust independent assurance
         over its operation.

2.2    In order to fulfil this requirement, Internal Audit is independent of all the activities of the Council. Internal Audit has the right of access to
       all information and records held by the Council and may seek explanations on any matters from any officer or Member of the Authority.

       Responsibilities of management

2.3    The establishment and maintenance of adequate control systems is the responsibility of management. Recommendations made
       by internal audit can reduce risk and improve systems of control. However, the implementation of audit recommendations cannot
       eliminate risk entirely.

       Responsibilities of the Audit Committee

2.4    In regard to internal audit, the Audit Committee is responsible for:

       • Approving, but not directing, internal audit’s strategy, plan and monitoring performance;
       • Reviewing summary internal audit reports and the main issues arising, and seeking assurance that action has been taken where
         necessary;
       • Receiving and considering the Head of Internal Audit’s annual report.

       Responsibilities for fraud prevention and detection

2.5    The primary responsibility for the prevention and detection of fraud rests with management. Management’s responsibilities include
       creating an environment where fraud is not tolerated, identifying fraud risks, and taking appropriate actions to ensure that controls are in
       place to prevent and detect fraud.

2.6    It is not the role or responsibility of internal audit to detect fraud. However, internal audit will evaluate the potential for the occurrence of
       fraud in each assignment and how the Council manages the risk of fraud.

       Scope of internal audit activities

2.7    The scope of internal audit work includes:

       • The entire control environment of the Council, comprising financial and non-financial systems;
       • Reviewing controls that protect the interests of the Council in its dealings with partnerships in which the Council has an
         involvement.

2.8    Internal audit may also provide assurance services to parties outside the Council with the prior agreement of Audit Committee.

3.     Internal Audit Planning Methodology
3.1    The approach to audit planning for 2018/19 has been a risk based approach in line with the requirements of the PSIAS and has been
       prepared following consultation with key stakeholders including senior management to establish the key current and emerging risk areas
       faced across the Council. Further consideration has been given to:

       • priority areas suggested by Senior and Middle Management;
       • a review of the 2018/19 Council Plan and the Borough Plan;
       • a review of current strategic, portfolio, project and operational risks, in particular the areas identified within the Corporate Risk
         Register;
       • other existing sources of assurance (e.g. external audit, external regulators like Ofsted and the Quality Care Commission and
         other “second line of defence” assurance like risk management and compliance functions);
       • results of previous internal audit work and cumulative audit knowledge and experience;
       • known changes to the Council’s business, operations, programs, systems and controls;
       • the requirement to ensure sufficient and wide ranging coverage in order to provide a robust annual audit opinion;
       • planned work deferred from the 2017-18 Audit Plan that is still considered a priority.

3.2    Potential audit areas have been identified and assessed against the following Risk Categories:

       • Strategic/business;
       • Operational;
       • Financial;
       • Credit;
       • Compliance;
       • Customer Outcome;
       • Technology.

4.     Characteristics of the 2018-19 Internal Audit Plan
       Alignment of the Audit Plan to the Council’s Corporate Priorities

4.1    The Audit Plan is presented in a way that shows how each planned review aligns with the Council’s Corporate Priorities. Clearly a
       number of reviews will contribute to more than one priority. For presentational purposes the reviews have been listed under the priority
       that is considered most clearly linked to that review area.

       Budgeted time allocations

4.2    A budgeted time allocation has been set for each assignment included in the Audit Plan. It is accepted that the exact resource
       requirement for each assignment cannot be forecast with certainty. The plan therefore represents the best estimate of the way in which
       the Council’s internal audit resources will be deployed. The overall objective is to deliver the plan in line with approved Key Performance
       Indicators and to provide sufficient overall assurance to support the Annual Head of Internal Audit Opinion Report.

       Timing and prioritisation of audit work

4.3    The intention is to complete all planned work within the year. A requirement of the PSIAS standards is that all reviews in the Plan must
       be prioritised following assessment. This is highlighted against each review in Appendix A and will take account of:

       • The need to finalise any work from 2017/18 that remains incomplete at year-end;
       • The need to prioritise the reviews deferred from the 2017/18 Audit Plan;
       • The views of management of the service areas in regard to the timing of work;
       • Any other factors that may be relevant to the timing of a particular piece of work (for example, external reviews of services);
       • Any urgent unplanned work arising;
       • Changes in the level of audit resources available.

Significant interim changes to planned work

4.4    The Audit Plan put before the Audit Committee provides a robust basis for internal audit work, whilst acknowledging and ensuring that
       sufficient flexibility is retained to allow us to react to significant changes in the risk environment and to enable assurance to be obtained
       over current and emerging risks. In producing the plan, we have taken account of the current economic and financial pressures on the
       Council and will continue to ensure that we deliver an efficient and effective service in the future.

4.5    As a result, the Audit Coverage Model (Audit Universe) will be reviewed on a regular basis and this will help to support the future
       direction of the Audit Plan by identifying high risk areas that require more immediate independent assurance. All changes and updates
       will be reported to the Corporate Leadership Team and the Audit Committee on a regular basis to allow for discussion and challenge on
       any proposed changes to the plan. There has been an increased demand for service delivery and transformation work and advice in the
       areas of change and the ceasing of services. Therefore a key characteristic of the plan is its flexibility with time being allocated for this
       type of work and time also allocated for contingency and consultancy to be applied to emerging risks and to enable the team to react to
       client demand.

4.6    Periods of change increase the potential for risks both positive (opportunities) and negative (hazards); for example, significant change
       provides opportunity for a breakdown in control as well as an opportunity to consider new, more effective and efficient ways of
       organising people, systems and processes without impacting adversely on internal control. To reflect this, the plan includes time for
       consultancy / advice and guidance and project / systems development in order to support and challenge officers in the establishment
       and development of their systems of governance, risk management and internal control.

5      Resourcing and Delivery of Internal Audit Plan
       Resource requirements

5.1    The level of resource required to deliver an effective internal audit service to the Council has been assessed based on the need to
       provide adequate audit coverage of the Council’s:

       • Risk management and governance arrangements;
       • Front line services;
       • Support services;
       • Procurement and contract management activity;
       • Information management arrangements;
       • Key financial systems;
       • Anti-fraud and corruption arrangements;
       • Schools.

5.2    Account has also been taken of the need to be able to resource:

       • Unplanned work which may arise during the year;
       • Follow up work to provide assurance that previously agreed recommendations are implemented;
       • Provision of advice and consultancy to internal customers.

5.3    The 2018/19 Internal Audit Plan will be managed with a strategic lead and overview from the Head of Internal Audit, Risk and Insurance,
       and delivered predominantly by an experienced and suitably qualified in-house team of 4 FTE auditors. Further resource around risk
       management, counter fraud, insurance, claims handling and highways inspections is now fully embedded within the wider Internal Audit,
       Risk Management and Insurance service. This helps to deliver opportunities of cross utilisation and flexible use of skills between the
       teams, as well as provide a source of flexible resource to assist in the delivery of the Audit Plan.

5.4    A resource calculation has determined the net number of days available to undertake audit work in 2018/19 as 994 days. This is based
       on:

       • 30% of Head of Audit, Risk and Insurance resources representing the time spent on strategic audit management;
       • A current internal audit structure of one CSS Audit Manager (55% of available time and 45% management time), supported by
         two full time CSS Senior Officers and one full time CSS Officer;
       • Further resources available from the Risk Management and Counter Fraud team of one Risk Manager (80% deployed on an
         ongoing advisory / consultancy basis on high risk projects), 0.8 FTE CSS Senior Officer (50% deployed on an ongoing advisory /
         consultancy basis on Stockport Together and 50% on audits) and one CSS Officer dedicated to counter fraud work.

5.5    The actual days required in the Internal Audit Plan 2018/19 is 1075 days. The total resource was deducted from actual days required in
       the Plan and a difference of 81 days is evident.

                                                                            2017/18     2018/19
       Resources available
         Total available days (Note 1)                                        1,371       1,464
         Less: Non Chargeable time (Note 2)                                   (130)       (270)
         Less: Consultancy & Assurance work (Appendix B)                      (220)       (200)
         Net Days available for SMBC Internal Audit                           1,021         994
       Resources required
         Total planned days in the Internal Audit Plan                        1,080       1,065
       Difference of Resource Available to Resource Required                   (59)        (71)

       Note 1: After deduction of annual leave, bank holidays and sickness provision. This now includes time by the Head of Internal Audit,
       Risk and Insurance in 2018-19, and takes into account a three month vacancy with respect to the Counter Fraud Officer.
       Note 2: Training, administration, team & SMT meetings, external meetings in 2017/18. This has been expanded in 2018-19 to include
       time spent by the Head of Internal Audit, Risk and Insurance on audit planning, audit management, and audit committee reporting
       duties. This time was not included in the 2017/18 Plan.

6      Proposed Work Programme for 2018-19
6.1    The table below shows the planned days against each corporate outcome. Details are set out in Appendix A.

        Corporate Outcome                                                     Planned Days
        People are able to make positive choices and be independent                    165
        People who need support get it                                                 250
        Stockport benefits from a thriving economy                                     110
        Stockport is a place people want to live                                        90
        Communities in Stockport are safe and resilient                                 70
        Reform and Governance                                                          330
        Other Work                                                                      50
          Follow-ups                                                     40
          Completion of 2017-18 work                                     10
        Total Planned Days                                                           1,065

6.2    The chart below shows how the total number of days is allocated across the various categories of assurance work to contribute to the
       provision of the annual audit opinion. (An explanation of the various categories of assurance work is set out in Appendix C).

6.3    The chart below shows how the total number of days is allocated across the various categories of assurance work to contribute to the
       provision of the annual audit opinion.

       [Chart: allocation of total planned days by category of assurance work. Programme / Project 22%; Service Review 22%;
       Compliance 15%; Contract / Procurement 12%; Pro-active anti-fraud 11%; Strategic / Governance review 10%;
       Financial systems 6%; ICT 2%.]

APPENDIX A

1.      People are able to make positive choices and be independent
 Audit Review:     Stockport Together
 Days:             80
 Risks context:    The health and social care system in Stockport is unsustainable in its current form. If working practices do not change, the financial position is set to deteriorate so that by 2020/21, if no action is taken there will be a c£154m deficit. The Stockport Together partners are undertaking a fundamental change in the way health and social care services are delivered, organised and commissioned.
 Planned coverage: Reviews of the arrangements around specific delivery projects to ensure that the Council is delivering the long term financial savings and has adequate arrangements to manage risk as the programme progresses.
 Audit Category:   Programme / Project

 Audit Review:     Adult social care residential market (including the Borough Care project)
 Days:             25
 Risks context:    The Borough currently has over 50 private and not-for-profit care homes for older people providing approximately 2000 beds. The Council does not own any residential provision for adults. The Council is responsible for working in partnership with existing and potentially new providers of adult social care residential homes in order to develop a sustainable market. There are a number of issues facing the Council, in particular risks around the capital costs of building new residential homes and financial difficulties by existing providers with resulting home closures.
 Planned coverage: Review of the arrangements around market shaping and market capacity activities and developing a sustainable care home market within the borough.
 Audit Category:   Strategic / Governance review

 Audit Review:     Care management budgets and market management
 Days:             25
 Risks context:    There continues to be significant financial pressures within the care management services for residential and nursing care and non-residential services. This is related to the increase in the transfer of clients back into the community from Delayed Transfers of Care (DTOC) out of hospital.
 Planned coverage: Review of the arrangements around the development of measures to improve the efficiency and effectiveness of the service and the market whilst maintaining financial resilience.
 Audit Category:   Service Review

 Audit Review:     Homecare
 Days:             15
 Risks context:    Demand for home care is currently exceeding supply in the market with waiting lists for packages of care growing faster than additional capacity is being identified. A key priority for 2018/19 is the recommission of reformation of homecare and this model of provision will be integrated into neighbourhood care.
 Planned coverage: Review of the commissioning arrangements for Homecare to ensure value for money is achieved.
 Audit Category:   Procurement / Contract

 Audit Review:     Personal Budgets – Direct Payments
 Days:             20
 Risks context:    Nationally, there has been a rise in the number of fraud cases identified in adult social care, particularly around where direct payments were not being used to pay for the care of the vulnerable adult. In addition, the value of the loss has started to increase.
 Planned coverage: A new approach by Internal Audit will seek to undertake substantive audit testing of individual direct payment cases.
 Audit Category:   Pro-active anti-fraud

 Total Days:       165

2.       People who need support get it
 Audit Review:     Stockport Family
 Days:             10
 Risks context:    The forecast outturn for Children and Family services is a large deficit of £4m by March 2018. A financial recovery plan is in place.
 Planned coverage: Risk advice, ongoing consultancy support.
 Audit Category:   Programme / Project

 Audit Review:     Adult safeguarding investigation procedures
 Days:             20
 Risks context:    The safeguarding investigation process is key to the safeguarding of adults. It is important that the investigation process is robust and ensures appropriate sound, professional, evidence-based decisions on the protection of individuals and others are made.
 Planned coverage: A review of how safeguarding investigations are undertaken, how the decision making process is quality assured and the independence of case conferences will be undertaken. In particular it will examine the conversion rates between safeguarding referrals, Section 42 investigations and case conferences.
 Audit Category:   Service review

 Audit Review:     Regional Adoption Agency – Adoption Counts
 Days:             20
 Risks context:    Adoption Counts is a new collaborative partnership agency established in July 2017 and is hosted by the Council. New partnership working arrangements and financial arrangements are in force.
 Planned coverage: A review of the performance and financial management arrangements over the new agency will be undertaken to ensure that risks to achieving its objectives are effectively mitigated.
 Audit Category:   Service Review

 Audit Review:     Looked after children (LAC) – funding, external placements and market management
 Days:             20
 Risks context:    Further increases to numbers of LAC resulting in further financial pressures in respect of external placements, difficulties in sourcing placements and difficulties in agreeing responsibility for funding. This is a key element to be controlled as part of the Stockport Family Recovery Plan.
 Planned coverage: A review of the process to place LAC, in particular, market management, placement searches, commissioning and process for agreeing weekly rates, and approval of funding.
 Audit Category:   Service review

 Audit Review:     Foster care payments (internal)
 Days:             20
 Risks context:    The foster care payments system is now under new management and there are risks around ensuring accuracy, timeliness and completeness of payments to foster carers.
 Planned coverage: A review of the payments process, including expenses and additional payments to ensure procedures are robust and mitigate risks.
 Audit Category:   Service review / Compliance / Pro-active anti-fraud

 Audit Review                      Days   Risks context                                          Planned Coverage                         Audit Category
 Dial Park Children Home            10    The children's home is well established and it         A review of the governance and           Service Review /
                                          is timely for an overview of the arrangements to       financial arrangements at the            Compliance
                                          ensure risks over inappropriate payments are           establishment will be undertaken with
                                          being mitigated. This will inform arrangements         a view to providing assurance on the
                                          for the new children's home that has recently          adequacy of the arrangements and
                                          opened.                                                compliance with financial regulations.

 Recharges to CCG for joint care    20    The Council and the CCG have agreed joint              A review of the approval and financial   Service Review
 of clients                               funding for certain adults, particularly those in      procedures around recharging of
                                          receipt of continuing health care and S117             costs in relation to agreed joint care
                                          aftercare. The process for approval of joint care      of service users.
                                          and the financial procedures for recharges are
                                          not as robust as they should be.

 Troubled Families (TF)             15    This is a national initiative in an effort to reduce   As the result of new arrangements,       Service Review
                                          the number of families that were defined as            the audit approach has changed from
                                          having or causing problems to the community            2018. We will focus on the
                                          around them. Such families were also seen to           verification of the quality assurance
                                          place high costs on the public sector.                 and decision making processes
                                                                                                 around case management.
                                          Internal audit involvement in the first phase of
                                          the Troubled Families Programme was
                                          predominantly data-focused, concentrating on
                                          payments by results. Within the context of
                                          devolution, a new agreement has been reached
                                          and approval given for GM authorities to have their
                                          own financial framework. As part of this the GM
                                          has agreed a TF Outcomes Plan which sets out
                                          the targets and metrics that the programme will
                                          strive towards and ultimately be measured
                                          against.
                                          It is a requirement for Internal Audit to verify the
                                          outcomes.

 Audit Review                   Days   Risks context                                      Planned Coverage                          Audit Category
 School admissions               15    Schools admission is a high profile area and       A review of the school admissions         Service Review &
                                       with demand for school places increasing at        process will be undertaken with a         Proactive anti-fraud
                                       specific schools in the borough, it is important   focus on proactive anti-fraud             review
                                       that procedures are robust and detect fraudulent   measures.
                                       applications.

 Schools and a Pupil Referral    100   The Council has nearly 100 schools that are        A standard audit programme has            Compliance
 Unit (PRU)                            responsible for setting their own budgets and      been developed for school audits,
                                       managing their finances. The frequency of          which is tailored to each school as
                                       school audit visits is determined by a risk        required.
                                       assessment based on audit assurance ratings,
                                       change in Headteacher and business manager,        25 schools will be visited in the year,
                                       financial position and any known governance        including the Highfields Inclusive
                                       issues.                                            Partnership.

 Total                          250

   3.       Stockport benefits from a thriving economy
 Audit Review                     Days   Risks context                                     Planned Coverage                     Audit Category
 Stockport Exchange – Phase 3     15     Stockport Exchange is a major regeneration        We will continue to attend the       Programme / Project
                                         scheme and represents substantial investment      established Project Board
                                         by the Council to help encourage economic         meetings to ensure key risks are
                                         growth.                                           discussed and managed.
                                         The project, due to its speculative nature and
                                         significant borrowings, comes with high risks.

 Redevelopment of Merseyway       15     The redevelopment of Merseyway represents         We will continue to attend the       Programme / Project
                                         a substantial investment by the Council to help   established Project Board
                                         encourage economic growth and to improve          meetings to ensure key risks are
                                         the quality of life for residents.                discussed and managed.
                                         Development schemes can often have
                                         complex funding arrangements and frequently
                                         involve working with partner organisations.

 Markets and Underbanks           10     A significant investment programme is             We will continue to attend the       Programme / Project
                                         underway to revitalise the markets and            established Project Board
                                         underbanks area. There are a large number of      meetings to ensure key risks are
                                         projects underway, which makes it important       discussed and managed.
                                         that adequate programme and project
                                         arrangements are in place to ensure
                                         successful delivery.

 Review of income and lettings    20     Merseyway, Red Rock and Aurora are new            We will review the arrangements      Service Review
 risks at Merseyway, Aurora and          and significant assets to the Council and there   over lettings and collection of
 Red Rock                                are risks around ensuring units are let and       income.
                                         income is maximised.

 Town Centre Access Plan          15     The TCAP represents a substantial capital         We will review the arrangements      Programme / Project
 (TCAP)                                  programme with significant funding from the       to ensure the Council protects its
                                         Local Growth Fund, and involves partnership       interests and manages risks to the
                                         working with Transport for Greater                capital programme.
                                         Manchester.

 Audit Review                   Days   Risks context                                        Planned Coverage                    Audit Category
 Governance arrangements over   20     There is a significant level of regeneration         We will examine the strategic and   Strategic /
 highways improvement works,           works and highways improvement works within          governance arrangements the         Governance
 public realm and town centre          the Town Centre that are managed by different        Council has in place over the
 management and regeneration           services within Place. This poses risks that         Town Centre to ensure risks to
                                       these arrangements are not maximised to              the regeneration programme and
                                       achieve the outcomes desired.                        the highways improvement works
                                                                                            are minimised.

 Governance arrangements over   15     The Council has established a wholly owned           The audit will examine the          Strategic /
 Stockport Hotel Management            subsidiary company to run the hotel (through a       governance and financial            Governance
 company                               contract with Interstate Ltd). It is an innovative   arrangements that the Council
                                       new income stream for the Council.                   has in place over the hotel
                                                                                            company.

 Total                          110

   4.       Stockport is a place people want to live
 Audit Review                    Days   Risks context                                       Planned Coverage                           Audit Category
 SEMMMs                          15     This is a significant capital programme, in the     We will continue to attend the             Programme / Project
                                        region of £230million. Further proposals are in     established Project Board meetings to
                                        place for new additional road schemes as part       ensure key risks are discussed and
                                        of the SEMMMs strategy.                             managed.

 Highways reactive maintenance   20     The Council's performance in defending against      We will undertake a review of the          Service Review
 – repairs defects categories           highways claims has been poor in the past.          arrangements against the new repairs
                                        Significant work has been undertaken to             defects categories to ensure repudiation
                                        review the repairs defects categories to            rates are improved.
                                        improve the repudiation rates.

 Public Realm – client side      20     As part of the austerity programme, the             A review of the new SLA arrangements       Contract /
 monitoring of Solutions SK             Council has reduced its payments to SSK. This       between Public Realm and the Council       Procurement
 (SSK)                                  presents risks to the delivery of the service to    to ensure key risks around delivery of
                                        members of the public.                              services are mitigated.

 Housing strategy – Affordable   20     In line with national trends, Stockport faces a     We will undertake a review of the          Service Review and
 housing delivery / Viaduct             housing crisis. A strategy is in place to develop   oversight and performance management       Contract /
 Housing Partnership                    affordable housing and there are risks to the       arrangements of the delivery of the        Procurement
                                        achievement of this housing delivery                affordable housing programme including
                                        programme.                                          the new Viaduct Housing Partnership.

 Highways Code of Practice       15     The Highways Code of Practice recently              We will undertake a review of the risk     Service review
                                        issued in 2016 has changed the focus from           based approach undertaken by the
                                        reliance on specific guidance and                   Council to implement the key provisions
                                        recommendations in previous codes to a risk-        of the code of practice. As part of this
                                        based approach determined by the local              review, we will review the Council’s
                                        authority.                                          processes for approving the new
                                                                                            arrangements.

 Total                           90

   5.       Communities in Stockport are safe and resilient
 Audit Review                     Days   Risks context                                     Planned Coverage                             Audit Category
 Community Safety                 20     Following the 2016 restructure of community       Review of the strategic and operational      Strategic /
                                         safety, the operational functions are now         arrangements within the Council with         Governance
                                         managed primarily within the People and Place     respect to its links to the Community
                                         directorates, whilst the strategic functions      Safety partnership and strategic
                                         relating to the Council’s statutory               priorities.
                                         responsibilities are governed through the Safer
                                         Stockport Partnership.
                                         There is a risk that the strategic and
                                         operational arrangements are not aligned with
                                         each other.

 Taxi licensing computer system   10     The service has recently implemented a new        We will continue to use IDEA to              ICT / Service review
 – data quality checks                   case management system. This has been             compare the information between the
                                         problematic with significant errors in the        Civica APP system and the new IDOX
                                         information migrated from the Civica APP          management system to support the
                                         system to the new IDOX management system.         service to improve the data quality of the
                                                                                           new system.

 Community Investment Fund        10     This is a new community initiative and involves   Consultancy and risk advice will       Programme / Project
 (Two phase review)                      new financial processes.                          be provided in the beginning of
                                                                                           the year as the new arrangements
                                                                                           are developed.

                                  15                                                       In the last quarter of the year, the   Service Review
                                                                                           audit will examine the new
                                                                                           financial arrangements over the
                                                                                           administration of the Community
                                                                                           Investment Fund.

 CCTV / Control / Patrol          15     There are a number of risks around the            In the latter part of the year, we will      Service review and
 arrangements                            provision of this service provided by Solutions   undertake a review to provide assurance      Contract /
                                         SK, in particular around the level of service     that adequate controls have been put in      Procurement
                                         required, management arrangements of the          place to mitigate the risks.
                                         service and clarity over the costs.
                                         A process improvement service is currently
                                         being undertaken.
 Total      70

   6.       Reform and Governance
 Audit Review                     Days   Risks context                                     Planned Coverage                            Audit Category
 Supplier / Partnership working     10   Following the administration of Carillion, the    Ongoing consultancy support / risk          Programme / Project
                                         Council’s property services provider, the risks   advice with the current Property
                                         around ongoing delivery of property services,     Services provider
                                         in particular via the supply chain, have
                                         increased significantly.

 Supplier / Partnership working     20   Following the administration of Carillion, the    Strategic review of controls around               Contract /
                                         Council’s property services provider, the risks   supplier and third party risk               Procurement / Service
                                         around ongoing delivery of property services,     arrangements.                                      Review
                                         in particular via the supply chain, have
                                         increased significantly.

 Digital by Design – Phase 2        10   This is a significant capital programme           Reviews of the arrangements around           ICT / Programme /
                                         designed to create a new platform and data        specific delivery projects to ensure that          Project
                                         warehouse to enable future service and            the Council has adequate arrangements
                                         transactional level interfaces.                   to protect its interests and manage risks
                                         There are inherent risks around programme         as the digital solutions are implemented
                                         management, in particular ensuring costs are      and rolled out
                                         well managed and anticipated benefits are
                                         achievable.

 Implementation of General Data     5    The new GDPRs come into force this May            Ongoing advice and consultancy              Programme / Project
 Protection Regulations (GDPR)           2018 which replace the Data Protection Act        support with the Project Team
 / Information governance                1998. The GDPR goes beyond the current
 programme management                    requirements of the Data Protection Act, and
 arrangements                            the Council need to ensure that the way they
                                         collect, process and store personal data and
                                         information will comply with the new
                                         regulations. Penalties for non-compliance are
                                         significant.

 Audit Review                    Days   Risks context                                       Planned Coverage                              Audit Category
 Compliance with GDPR              20   The new GDPRs come into force this May              A review of the effectiveness of the              Compliance
                                        2018 and the penalties for non-compliance are       arrangements to comply with the
                                        significant.                                        provisions of the GDPR.

 Traded Services / Income          10   A number of services across the Council have        Review of the arrangements around             Programme / Project
 Generation                             income targets which, combined, amount to           developing the traded services offer and
                                        £560,000, where they seek to either achieve         generating income to ensure income
                                        full cost recovery for existing arrangements or     targets are achieved.
                                        to generate income in new arrangements.
                                        This is a challenging task for many services,
                                        and there is a risk that these income targets
                                        may not be achieved.

 Business Continuity – Service     10   It is a statutory duty under the Civil              We will undertake a review of the               Service Review
 level                                  Contingencies Act 2004 for local authorities to     Council’s service business continuity
                                        develop business continuity plans for all of the    plans to ensure that arrangements for
                                        functions they provide.                             resilient networks, services and
                                        At a time when changing social, political and       business critical information are in
                                        economic situations are forcing local               place, in the event of threats or disaster.
                                        authorities to be more innovative, the risks
                                        around continuing resilience have increased.

 IR35                              10   From April 2017 important changes to the tax        We will undertake a review to ensure              Compliance
                                        legislation dramatically affect how public          that adequate and effective controls are
                                        sector organisations procure resources and          in place to minimise business risk to the
                                        professional services. There is a risk that there   Council with respect to the IR35
                                        is a lack of decision making or effective           legislation and to provide assurance
                                        decision process over the assessment of             that all the requirements of the HMRC
                                        existing and new contractual arrangements           changes have been implemented.
                                        with potential IR35 applicable workers and new
                                        suppliers. This could lead to fines being levied
                                        against the Council.

 Audit Review                      Days   Risks context                                      Planned Coverage                             Audit Category
 Implementation of social care       15   The Services to People directorate has             We will review the arrangements to           ICT and Programme /
 case management system                   recently procured a joint case management          implement the new case management                  Project
                                          system from Liquid Logic.                          system to ensure that the key risks are
                                          A fundamental review of the business               effectively mitigated.
                                          processes is being undertaken both within
                                          Children and Adult Social Care prior to the
                                          implementation of the Liquid Logic system.
                                          There are significant risks around the
                                          implementation of the new system given the
                                          wide-ranging information requirements
                                          across a vast range of complex services.

 Service Planning and                10   Public sector austerity is unlikely to change in   Consultancy and risk advice will be           Programme/Project
 Performance management                   the medium term, and the Council need to           provided in the beginning of the year as
 arrangements                             keep a focus on their budget and delivering        the new improved arrangements are
 (Two phase review)                       more savings and efficiencies through to 2021.     developed by the Policy and
                                          The pressures remain as demand is rising           Performance service.
                                          across the Council for all their services with
                                     20   rising inflationary costs and reducing support     In the last quarter of the year, a review     Strategic /
                                          from the Government.                               of service planning, financial and            Governance
                                          Linked to this is a greater focus on service       performance management
                                          planning and performance management, so            arrangements will be undertaken in the
                                          that the Council can respond quickly to any        three directorates.
                                          areas that are struggling and put in place the     We will report our findings to the
                                          right support.                                     relevant directorate Senior Management
                                                                                             Team.

 Business Rates collection           15   From April 2017, 100% retention of business        We will undertake a review of the              Financial system
                                          rates is being piloted across the Greater          arrangements to identify all business
                                          Manchester region. This consequently               rates liabilities and utilise IDEA as part
                                          increases the importance to the Council of         of this review.
                                          maximising the collection of business rates.

 Key financial systems (Debtors,     30   These systems provide material disclosures         High level reviews evaluating and             Financial systems
 Creditors, Payroll, Treasury             for the financial statements.                      testing the effectiveness of the key
 Management)                                                                                 controls within each financial system

 Audit Review                      Days   Risks context                                     Planned Coverage                             Audit Category

 Cybersecurity (as this audit is     0    Media reports of organisations that have fallen   Salford Computer Audit Services will                 ICT
 undertaken by Salford Audit              victim to a cyber-attack are increasingly         undertake this audit. The audit will
 Services there are no allocated          widespread. Incidents may include loss of         examine the steps that the Council has
 days required here)                      customer data, financial loss or denial of        taken to identify its cyber-risk exposures
                                          service. The consequences of such events          and to protect the various information
                                          can lead to fines, service disruption and         assets that could be affected by a
                                          reputational loss.                                cyber-attack (such as hardware,
                                                                                            systems, data etc.).
                                          Increased use of technology and openness to
                                          the internet make the Council increasingly at
                                          risk of cyber-attack.

 Cybersecurity Contingency           10                                                     The review will also cover arrangements         Service review
 Arrangements                                                                               for contingency planning in the event of
                                                                                            a cyber-attack.

 Subject access rights (SAR)         15   The introduction of GDPR brings some              We will undertake a review of the               Service review
 and Freedom of Information               changes to the processes for dealing with         arrangements to process SAR/FOI
 (FOI)                                    subject access rights and freedom of              requests
                                          information requests.

 Housing Benefits including          15   Housing Benefits is a complex system and          We will undertake a review of the              Financial system
 subsidy claim                            vulnerable to fraud and errors, and in            Housing Benefit system and the
                                          particular the benefits subsidy claim remains a   arrangements for producing the subsidy
                                          risk. The DWP expect zero errors and the          claim. We will also use IDEA software
                                          impact of any subsidy qualification is            to review the adequacy of reports via
                                          potentially very large.                           the Civica system.

 National Fraud Initiative           30   NFI matches data across organisations and         Co-ordination and investigation of the       Pro-active anti-fraud
                                          systems to help public bodies identify            data matches identified from the
                                          anomalies which may signify fraudulent claims     exercise.
                                          and transactions. The Council is required by
                                          law to participate in NFI.


 Audit Review                     Days   Risks context                                      Planned Coverage                            Audit Category
 Corporate credit cards             15   The use of corporate credit cards is a high risk   We will undertake a review of the           Pro-active anti-fraud
                                         area vulnerable to fraudulent activities.          controls over using corporate credit
                                                                                            cards, authorisation of payments and
                                                                                            reconciliation. As part of our work, we
                                                                                            may utilise IDEA.

 Data matching of benefit           15   The current processes do not allow for             We will use IDEA to undertake data          Pro-active anti-fraud
 payment records between                 appropriate data sharing arrangements, and         matching of benefit payment records to
 Housing & Council Tax, Section          therefore there is a risk of duplicate payments    identify any duplicate payments
 17 and Stockport Local                  or payments being made which the service
 Assistance Scheme                       user is not entitled to.

 STAR Procurement –                 15   TBC                                                TBC                                             Contract /
 performance management                                                                                                                    Procurement
 arrangements

 STAR Procurement – topic to        15   TBC                                                TBC                                             Contract /
 be determined                                                                                                                             Procurement

 Certification work                 15   Every year the Council receives grant funding      Annual review of key grants received to         Compliance
                                         for specific initiatives                           confirm expenditure is in line with grant
                                                                                            terms and conditions.

                                         It is a requirement that the Head of Internal      This will also involve the annual review
                                         Audit signs a declaration to confirm that the      of charitable accounts to confirm
                                         conditions of funding have been complied           income and expenditure presents a true
                                         with.                                              & fair view.

 Total                             330

APPENDIX B

Consultancy and Assurance work for Inclusion in 2018/19 Internal Audit Plan

                 Review                                                              Description                                                   Days
 Continuous auditing / monitoring      Provision for further rollout of model on key areas and design of key reports. Review of results in          50
                                       partnership with relevant departments

 Consultancy / advisory                Consultancy resulting from requests for ad hoc advice on risk and control matters                            25

 Project Development                   Advisory work in response to management requests for risk and control advice during key project              25
                                       implementation or system redesign (this relates to requests from services outside of the Investing in
                                       Stockport Programme of Growth and Stockport Together)

 Management reviews / investigations   Undertaking unplanned reviews or investigations as matters arise during the year or as directed by           40
                                       the Fraud & Irregularities Panel

 External Work                         Provision of Internal Audit services to SSK                                                                  60

 Total consultancy and assurance work                                                                                                             200

APPENDIX C

Audit Categories

               Category                                                                       Description

                GM assurance                 A programme of reviews which involves joint working with Greater Manchester Internal Audit teams

       Strategic/corporate governance        A programme of reviews identified as the highest risk to the Council’s current objectives, which are strategic in
                                             nature and cut across several services within the Council.

        Programme and Project audit          Reviews on specific programmes and projects considered to be the highest risk to the Council’s current objectives

               Service reviews               A programme of reviews identified as high risk but which impact on one service within the Council.

            Financial systems audit          A programme of financial system reviews considered high risk

        Contract / procurement audit         Reviews on specific procurement activities and contracts considered high risk.

             ICT / Computer audit            Commissioned audit reviews of a technical nature from Salford Computer Audit Services, combined with reviews
                                             to be delivered in-house.

             Pro-active anti-fraud           A programme of proactive anti-fraud reviews, risk assessed for the potential of fraud (including the National Fraud
                                             Initiative)

                School audits                A programme of school visits identified as highest risk taking into account any key changes in personnel, systems
                                             and finances.

              Compliance audit               A programme of reviews identified as highest risk

       Continuous Auditing/Monitoring        A resource dedicated to the review and support of continuous auditing/monitoring.

   Consultancy, project support and advice   On-going consultancy work provided at the request of management and other stakeholders.

               Certification work            Independent verification work required by grant funding bodies and legislation.

                Investigations               Ad hoc investigations into suspected fraud and irregularities.
